Hi

On 27.11.2015 at 16:50, Gavin Sharp wrote:
> On Fri, Nov 27, 2015 at 7:16 AM, Gervase Markham <[email protected]> wrote:
>> But the thing is, members of our security group are now piling into the
>> bug pointing out that trying to find malicious JS code by static code
>> review is literally _impossible_ (and perhaps hinting that they'd have
>> said so much earlier if someone had asked them).
> No, that's not right. There's an important distinction between
> "finding malicious JS code" and "finding _all_ malicious JS code". The
> latter is impossible, but the former isn't.
>
> Proving "the validator won't catch everything" isn't particularly
> relevant when it isn't intended to, in the overall add-on signing
> system design.

I think the fact that the validator (or manual review) cannot catch
everything is very relevant.

Users cannot rely on the review process (automatic or manual), because
it can never catch all bugs (malicious or not). So users still have to
rely on an extension's developers to get their code into good shape,
just as is currently the case. And I'd guess that malicious code will
get more sophisticated when the review procedures improve.

Another point is that one never knows how close to 'good' an extension
or a review is, because this would require knowledge about the absolute
number of bugs in the extension. Getting this number requires a perfect
validator. So all bugs from a review might get fixed, but the overall
extension is still in 'crap territory'. I'm a bit surprised that
this hasn't been mentioned here yet.

Therefore I'm skeptical about the effective benefit for the users. The
mandatory review seems to create a promise of security that it cannot
fulfill. Reviews and validation are good things, but holding back an
update for a pending review doesn't seem helpful.

Best regards
Thomas


_______________________________________________
dev-platform mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-platform
